
fix(deps): bump xmldom to 0.8.0 #1270

Merged (1 commit), Jan 4, 2022

Conversation

karfau (Contributor) commented Dec 25, 2021

Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0:
GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0:
xmldom/xmldom#271

- I used node 12 to run `npm install`.
- I executed `npm run test` on my machine but some tests complained about missing titanium config in my home directory.
  Since I don't know what that means we will have to see what CI checks complain about.

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.

karfau (Contributor, Author) commented Dec 25, 2021

The link in the README to sign the CLA doesn't work for me:
(screenshot of the broken CLA link)
Any other way/anything else I should try to sign it?

build commented Dec 25, 2021

✅ All tests are passing
Nice one! All 2755 tests are passing.

@xmldom/xmldom

Author: Unknown

Description: A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Homepage: https://github.com/xmldom/xmldom

- Created: 4 months ago
- Last Updated: 7 days ago
- License: MIT
- Maintainers: 4
- Releases: 7
- Direct Dependencies: none listed
- Keywords: w3c, dom, xml, parser, javascript, DOMParser, XMLSerializer and ponyfill

New dependencies added: @xmldom/xmldom.

Generated by 🚫 dangerJS against 35574e0

m1ga (Contributor) commented Dec 26, 2021

@karfau thanks for the PR. I'm sure they'll find a way to get this merged 👍

karfau (Contributor, Author) commented Dec 26, 2021

Cool, just to make this clear: I don't care about the attribution, feel free to take the patch and create your own PR from an existing contributor and land it.

All I care about is that fewer people depend on the outdated version 😃

ewanharris (Contributor) commented

@karfau Apologies for that incorrect link, the correct link is https://cla.axway.com/

karfau (Contributor, Author) commented Dec 29, 2021

I signed it and all checks are green, happy merging

ewanharris (Contributor) commented

Thanks for that @karfau, I'll look to merge this when I return from vacation next week.

ewanharris changed the title from "build(deps): bump xmldom to 0.8.0" to "fix(deps): bump xmldom to 0.8.0" on Jan 4, 2022
ewanharris merged commit d0a4299 into tidev:master on Jan 4, 2022
karfau (Contributor, Author) commented Jan 4, 2022

Happy about it being merged ❤️

What's your plan/timeline to publish this to npm?
Will there be a mention here?

karfau deleted the update-xmldom branch on January 4, 2022 at 11:24

ewanharris (Contributor) commented
@karfau It should be automatically published within the next 20 minutes or so. We did have automatic PR comments on release but it got spammy so I'll drop a comment when it's released 🙂

karfau (Contributor, Author) commented Jan 4, 2022

No need in that case, if it's an automated one/happens the same day I'm fine :)

build pushed a commit that referenced this pull request Jan 4, 2022
## [1.17.2](1.17.1...1.17.2) (2022-01-04)

### Bug Fixes

* **deps:** bump xmldom to 0.8.0 ([#1270](#1270)) ([d0a4299](d0a4299))
karfau (Contributor, Author) commented Jan 10, 2022

PS: Since all existing xmldom versions have security issues you might want to evaluate whether it's reasonable to deprecate versions using that dependency.
It depends on whether the XML can be provided/modified by a potential attacker, i.e. whether it has to be treated as insecure user input anywhere.
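The evaluation suggested above starts with knowing where the unscoped package still sits in a dependency tree. The following is an added example, not code from this PR, from titanium, or from the xmldom project: it walks a lockfile-style `dependencies` tree and flags the unscoped `xmldom` package this PR replaces, plus any `@xmldom/xmldom` older than the 0.8.0 the PR bumps to. The sample tree, its package names other than xmldom, and the version `0.7.5` are constructed for illustration.

```javascript
// Minimum @xmldom/xmldom version this PR adopts (not a claim about which
// versions are vulnerable; adjust to the advisory's fixed version).
const MIN_SCOPED = [0, 8, 0];

// Parse "^0.8.0" / "~0.7.5" / "0.6.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively audit a package-lock v1-style `dependencies` object, where each
// entry is { version, dependencies? } (a bare version string is also accepted).
// Returns one finding per offending package with its path in the tree.
function auditXmldom(deps, trail = [], findings = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name].join(' > ');
    const version = typeof info === 'string' ? info : info.version;
    if (name === 'xmldom') {
      findings.push({ path, name, version, reason: 'unscoped xmldom; migrate to @xmldom/xmldom' });
    } else if (name === '@xmldom/xmldom') {
      const v = parseVersion(version);
      if (!v || olderThan(v, MIN_SCOPED)) {
        findings.push({ path, name, version, reason: 'older than 0.8.0' });
      }
    }
    if (info && typeof info === 'object' && info.dependencies) {
      auditXmldom(info.dependencies, [...trail, name], findings);
    }
  }
  return findings;
}

// Constructed sample lock tree: one transitive unscoped xmldom, one scoped
// package at the target version, and one transitive scoped package that is too old.
const sampleLock = {
  dependencies: {
    'some-xml-lib': { version: '1.2.3', dependencies: { xmldom: { version: '0.6.0' } } },
    '@xmldom/xmldom': { version: '0.8.0' },
    'legacy-parser': { version: '2.0.0', dependencies: { '@xmldom/xmldom': { version: '0.7.5' } } },
  },
};

for (const f of auditXmldom(sampleLock.dependencies)) {
  console.log(`${f.path} (${f.version}): ${f.reason}`);
}
```

Run against a real `package-lock.json` by passing its top-level `dependencies` object to `auditXmldom`; a non-empty result is the list of packages the PR's advice applies to.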
